/etc/passwd
The /etc/passwd file contains information about user accounts. It is world-readable, but usually only writable by the root user.
Enumeration
We are going to exploit a misconfigured /etc/passwd file to escalate our privileges to root. Let’s check the permissions on /etc/passwd.
As you can see, we have write permission on the /etc/passwd file.
Exploitation
We will generate a new password and edit the /etc/passwd file by placing the generated password hash between the first and second colon (:) of the root user’s row (replacing the “x”). This will replace the password of the root user. After that, we will use the password to log in to the root account.
Well… As you can see, we have logged in as the root user.
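A defender-side check for the condition this walkthrough relies on, added here as an example and not part of the original write-up: it flags a passwd file that is group- or world-writable, and any account whose second field holds a hash instead of "x". The function name audit_passwd, the output labels and the sample file are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: audit a passwd-format file for the misconfiguration above.
# audit_passwd and the output labels are names chosen for this example.

audit_passwd() {
    local file="${1:-/etc/passwd}" listing perms owner out

    listing=$(ls -ldn "$file") || return 2
    perms=$(printf '%s\n' "$listing" | awk '{print $1}')   # e.g. -rw-r--r--
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')   # numeric UID

    out=$(
        # Character 6 is group write, character 9 is other write.
        case "$perms" in
            (?????w*|????????w*) echo "WRITABLE: $file is $perms, expected -rw-r--r--" ;;
        esac
        if [ "$owner" -ne 0 ]; then
            echo "OWNER: $file is owned by UID $owner, not root"
        fi
        # Field 2 should be x, with the hash in /etc/shadow, or a lock marker.
        awk -F: '
            NF < 7 || /^#/ { next }
            $2 == "" { print "EMPTY: " $1 " has an empty password field" }
            $2 != "" && $2 != "x" && $2 !~ /^[*!]/ { print "HASH: " $1 " has a password hash in field 2" }
            $3 == 0 && $1 != "root" { print "UID0: " $1 " has UID 0" }
        ' "$file"
    )

    if [ -n "$out" ]; then printf '%s\n' "$out"; fi
    [ -z "$out" ]   # exit status 0 = clean, 1 = findings
}

# Constructed sample: root's "x" replaced by a placeholder hash, file world-writable.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:$6$CONSTRUCTED$placeholderhash:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:0:backup:/var/backups:/bin/sh
EOF
chmod 666 "$sample"
audit_passwd "$sample" || true
rm -f "$sample"
```

Run without arguments, it audits /etc/passwd itself; a non-zero exit status makes it usable from cron or a configuration-compliance job.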